from the perspective dept

Google really screwed up when its Street View cars accidentally collected data from open wi-fi networks around the world, and it's a good thing that the practice came to light and people called them on it—but that's where the good sense of the situation seems to end. It's really important to keep some perspective here: Google collected open wi-fi data and didn't do anything with it. In terms of potential breaches of privacy permitted by the user's own lax security, I'd say the "victims" got off easy in this case. But from the way lots of politicians and news outlets tell the story, you'd never know it.

Though Google has mostly wrapped up the issue in the US, it is still dealing with the governments in other countries, and the latest news is that it has been fined €145,000 in Germany. Since that's pocket change to Google, frustrated regulators are calling for bigger weapons with which to slay the giant:

The country's data chief called it "one of the biggest known data protection violations in history".

But the regulator admitted the amount was "totally inadequate" as a deterrent to the company.

...

Under European regulations, the maximum fine for an accidental violation is 150,000 euros - but data protection supervisor Johannes Caspar called for that amount to be increased in future.

In a statement, the regulators said: "Among the information gathered in the drive-bys were significant amounts of personal data of varying quality. For example, emails, passwords, photos and chat protocols were collected."

Like so much of the response to the situation, a lot of this is political grandstanding spread by media outlets that are perfectly willing to make people paranoid about Google. Scrutinizing Google's privacy practices is definitely a good thing—this is a company a lot of people trust with a lot of data—and when they screw up, as they did here, they should face the consequences. But assuming they have villainous intentions in everything they do is foolish, and misrepresenting what happened here is wrong.

For starters, people love to list off the things Google collected—emails and passwords and the like—to imply that this was some sort of organized spying scheme. What they leave out is that the Street View cars were just arbitrarily recording bits of data they picked up from the open wi-fi networks, and while it certainly did include sensitive bits and bytes, there was no system or plan for actually looking through the contents of this data or making use of it. You might as well say the garbagemen have been collecting financial and government information, since there are plenty of sensitive documents in the trash.

Note the careful choice of words in calling this "one of the biggest known data protection violations in history." Maybe it is the biggest, in terms of sheer scale, but it earns no further superlatives. It's not the worst, nor the most damaging, nor the most secretive, nor even the most technologically advanced. Just the "biggest" in the most technical sense, which doesn't really mean much at all.

Then there's this idea that the fine is inadequate to deter Google. While any law based around fines is going to face the potential problem of rich people ignoring it, things are once again being blown out of proportion here. The regulators want to tell the story of the big, bad, deep-pocketed company that can defy the law with impunity, so that they can level bigger fines with more impressive headline dollar figures in the future—but that leaves out any discussion of whether the fine itself is appropriate. You can't tailor a fine to the richest potential violator of a law... What if it had been a small German startup hoping to create a local competitor to Street View that had made this mistake? Would privacy regulators still be calling for higher fines? For that matter, would they have pursued it at all, or just told them to knock it off?

Conversely, if Google or another company had actually made use of all that sensitive data—if they had read people's emails, or stolen anyone's credit card info ,or even made a text-file list of logins and passwords that was clearly intentional—then there would be other things to go after them for. You can bet they'd be facing big lawsuits and much more serious charges if there was even a hint of genuine fraud or hacking—but despite the best efforts of investigators in several countries, no such hint has been found. Google is facing a limited fine for the limited charge of collecting data because that's all it did. And let's still not forget that this was data on open wi-fi networks—no more secure than a CB radio, despite the tech-mystique that may surround it.

So let's keep holding Google to the highest standards of privacy, but let's not turn it into a witch-hunt. Accusing them of flagrant data-theft for what was in fact a technical oversight is bad for everyone. Apart from the fact that disinformation is always bad, placing all the blame on Google means failing to teach people about the nature of open wi-fi, meaning many of them are probably still leaving their data out there for anyone to see. And if nothing else, we certainly don't want to provoke that "well, if they're going to say we did it anyway...." mentality in Google.

And if nothing else, we certainly don't want to provoke that "well, if they're going to say we did it anyway...." mentality in Google.

Now that would be something to have a remote tiny bit of worry. Other than that it's open wi-fi for god sake, people use that shit all the time and millions of cellphones retain data of open wi-fi they use.

But other than that it's fun to bash Google for any collective delusion possible. And maybe it's good to prevent Google from getting even bigger. Except that as pointed up startups may be nailed for honest mistakes..

Anyone leaving their home WI-FI unsecured needs to be thoroughly chastised here. I cannot think of any reason that anyone would want to leave their private networks open beyond negligence. Surely, you only want people in your home to access your network?

We need a widespread education campaign on the dangers of leaving home WI-FI unprotected.

Re:

There are plenty of legitimate reasons to leave WiFi open. Sharing the connection with friends without having to worry about remembering the key. Older technology compatibility (don't know if it's just me, but my new access point won't let me use WEP and my old tech won't use WPA). There's also the fact that WEP and WPA can be cracked easily and it's probably better to focus on internal security.

Re: Because GOT CAUGHT EARLY and stopped!

Re: Because GOT CAUGHT EARLY and stopped!

Blue, you are a raving lunatic. I think that's all that needs to be said. Everyone else can easily see the problems in your arguments, and since you're willfully blind to your own flaws, there's no point in me arguing them.

i would APPRECIATE it if Google told me my wifi is open. better to have someone tell me, than find out because someone else was using my internet connection to download all kinds of stuff that would get the Strikes system after me.

And, no, it isnt as easy as just flipping a switch. The hackers can see some keys in seconds - is mine one of them? using the Vendor provided solution - am I secure enough?

Re:

What amazes me is that when you buy and install a home WiFi router, it is still unprotected by default. You'd think that they would be pre-configured with WPA already turned on and with a default, random pass phrase installed.

Re: Cue the trollery

Re:

Anyone leaving their home WI-FI unsecured needs to be thoroughly chastised here. I cannot think of any reason that anyone would want to leave their private networks open beyond negligence. Surely, you only want people in your home to access your network?

There are plenty of reasons to leave your home WiFi open. The education focus should be on end to end encryption, not some arbitrary access point.

Re:

There's no perfect security with home WiFi, unfortunately. But you're okay with WPA and a long pass phrase. "ih8cats" is too short. Try something like "My kitty loves @#$% Taco Bell"

If you really want to do it right, you could go with a Enterprise WPA.

Another trick I've seen is to install the router on a separate subnet with no Internet connectivity. Then install a VPN server that bridges that subnet and the Internet. In order to connect to the Internet, you would run a VPN client on your computer that would hook up to the VPN server.

I'm sure there are other solutions as well: some free open source and some expensive and commercial.

When it comes down to it, though, the real answer is "You don't have to outrun bear. Just be faster than the guy behind you." As long as your security is better than the open router down the street, you probably don't have to worry about it.

Re:

Though I disagree with you about leaving WIFI unsecured, the fact that it's Germany saying they collected information only off of open WIFI connections. Ironically, I read in a previous article that having WIFI open is illegal and will get someone fined for it in Germany. (http://www.techdirt.com/articles/20100512/1116409394.shtml)

Re: Protection violation? what protection?

Re: Re:

I bought a WiFi router several years ago, the cheapest one available in Wal-Mart. It came pre-configured with a password printed on the bottom of the router. I actually can tell that most do since I've seen so many devices still named by their default locked when I'm looking for a connection.

Sometimes I think Google would be better off to just disconnect Germany and Italy and tell them when they get their laws straight they'll consider coming back. In the meantime, their competitors could face the made up charges and fines. It all appears to be a money grab with nothing beyond that in real intentions to address the real issues.

Goggle did not just set at one place sucking up data. To photo and image streets, it has to move. This means the data will at best be incomplete in what it could have collected compared to what it did collect. Funny I see no mention of this in the blame game.

There is certainly no law in the US requiring a router to be secured. You have to be network knowledgeable to set the password in a router, in a place where most don't even know you can access the router setup page. I remember my first realization that a router had to be setup to port forward. It was confusing as all get out. All the nomenclature is entirely different than computereze. The first wall you run into is just understanding what they are talking about. The next wall you run into is that no two makers call things the same. There is no standardization in either nomenclature nor in method to do any operations in a router between makers. You are on your own with the manual (if you were lucky enough to save it) in trying to understand how to get from point A to point B. Nothing in the router tends to make it any easier.

For the unknowledgable, there is no warning in most router setup pages about WEP being insecure. They will merely offer you the choice of using it without any warning whatever.

So good luck on getting the public up to speed with being a network wizard when they have enough problems trying to understand how to secure their computers.

Re: Re:

i've left mine open before. Also, my smartphone tethering wifi hotspot is set to open also. I often turn that on in airport lounges as an anonymous nice thing to do if no other open hotspot is available.

I really wish they would make routers that had a dual secure/ open option. So you could work on the secured line but dedicate a set amount of bandwidth to form a sort of community cloud.

Re:

No, not an insider, just the employer of Mike Masnick.

You keep saying that and it will continue to be wrong every time you say it. Amusingly just minutes after you posted your incorrect claims, we posted yet another article criticizing Google. Hell, even this post criticizes Google.

I have never been employed by Google.

I know, I know, if you continue to lie and say things that aren't true, you can avoid actually responding to arguments.

Masnick you are critical of Google just as a mother is critical of her baby for shitting it's nappies.

We get it, you hate them, but they feed you so you are an apologist for them. You try to walk the fine line of trying to 'appear' unbiased, but it the end of the day, Goolag puts food on your table, and allows you to do this as apposed to a real job.

Re: Re: Re:

Given the nature of the law and the requirements it places on Google, all of this is somewhat understandable, and would be somewhat excusable but for one thing:

But the buck hardly stops at Google. It doesn't even really land there.

yes, really hard hitting stuff, you really stuck it to Google that time Masnick, I bet they are still in a state of shock !!!! Horrified at what terrible things you will write next about Google, your overlords.

DO you type these things, while laughing loudly and yelling "SUCKERS WILL BELIEVE ANYTHING I WRITE !!!".

Re: Re: Re:

Most modern routers do do this. When you get a chance, log on to your router. More than likely, it'll be called a Guest account, one that allows anyone to connect to the router and access the internet, but isn't allowed see the other devices on the network.

Re: Re:

Re: Because GOT CAUGHT EARLY and stopped!

"PROVE THAT."

I see you don't understand how burden of proof works. Not surprising...

Multiple investigations around the world have failed to find evidence of Google doing anything with the data collected, let alone something bad. What do you know that everyone involved in those investigations somehow missed?

Re: Re: Re: Cool

Re: Today Bank robbers steal $10 million dollars

If you engage your brain for a second you might realise that anyone with a laptop can walk down the road and do exactly what Google did, and there is nothing illegal or punishable about it. Hopefully you'll then see how stupid your analogy is.

Re:

Yet you will never show any proof of any of the statements you make, here. Show your evidence that Mike is not only employed by Google (selling ad space isn't employment), and makes enough money from this "job" to put food on the table. Until you can actual give valid citations, you're just pissing in the wind, and we'll keep reporting you.

Re: Re: Re: Re: Cool

Another essay that went off in a completely different way originally imagined. Its possible that I agree with the concept of the article but not the analogy used? Analogies are risky in that they are only similar concepts, used to explain more complex arguments, and function just to the extent that they do and not beyond.

“Street View cars were just arbitrarily recording bits of data they picked up from the open wi-fi networks”

This attitude of Google to arbitrarily record and commercialize all the 'little bits' of personal data/info of the daily lives of people/suckers is quite bothering.

The analogy to garbage picking was interesting but may not have gone far enough. How would anyone feel about a company that scanned all your sensitive garbage before it entered the garbage truck? Its already technologically feasible.

Just think of all the bank account, credit card, stock broker statements that could be scanned as this would set the victim up as a mark for whatever sized scam is needed to fleece any of their cash. With a decent NSA recombination program even torn or shredded documents can be recreated.

Don't forget all the used condoms or KY refills to be counted also just to target your email for some more Viagra spam offers or coupons to redeem at the local sex clinic addressed to your house with your name on it in a colorful envelope with ads on it? (even a plain unmarked envelope would be scary)

Throw out any dirty magazines that the local kids missed? Whats your particular taste or style in uninhibited sex or unrequited love? Yes there will be free samples sent to your mailbox with vibrant ads clearly placed. (Or not as maybe they would be more sensitive than Google or govt agencies might be.)

Throw out some embarrassing love letters or other emotionally charged content? Thats right the garbage scan (scam) man might have a little side business related to the local copyporn troll lawyer... Prepare the divorce papers in advance. Make any photo copies of those dirty magazines? (For an extra fee your bank and credit info will be included.) The illicit commercial possibilities are endless!

Not to be forgotten are the selfish government agencies that are never satisfied with only a little collection of your personal data. Because we are all potential terrorists (pointless to deny such childish accusations) working for foreign interests this will be decried as a valuable augmentation to that new police camera on the street lamp post in front of your home looking at your bedroom window.

The examples are endless... In short; Garbage is just to sensitive an area to waive off with conjecture.

If Google really did collect more than just the Wi-Fi account names that might be incriminating grounds for privacy invasion. Since they seem to have not used it (hahaha) there might not be much to fuss about but that is not a problem. Other issues pop up. (keep reading)

Making this analogy more complex is the fact that in the US, for reasons of legitimate salvage, garbage is considered abandoned goods once its put out on the curb. If we feel the need for more protection of privacy some legislation might be needed. Some already exists for the protection of bank and credit card info but its sketchy.

“if Google or another company had actually made use of all that sensitive data”

Agreement that Google did not use any of the data is good but that is most likely because of the public outcry about the gathering of such. Google is fairly public opinion savvy with one of the industries best tools for such analysis right at their fingertips. (the data gathered from the Google search engine)

Its not realistic to imagine that any corporation (Google in this case) would not use this data. They just had not found the time, way to use it or way to fit it into their database yet. Even if a data collection firm did not use abuse a credit card number it would still be intel gathered. Used for ID of on-line identity? At least its worth a check mark on a list (of what?) that the homeowner actually had and used a credit card on line?

Remember we are talking about human herd instincts. Corporate, mentality being what it is, usage of any personal info is unavoidable. Without the hammer of serious law on the side of private citizens all will be considered fair play while the average individual will be in the frying pan. You are the meat that runaway govt and corporate animals will dine on.

Agreement on holding both governments and corporations (Google in this case) to a high standard but our current ideals may not be good enough. It may be true that no laws were broken and as such no fines or penalties would incur but the potential for corporate abuse is large.

“And let's still not forget that this was data on open wi-fi networks”

There are different levels of open. Just leaving a router open for Internet use is one thing but leaving your computers open for sharing is insane. Yes the Wi-Fi diapers need to be changed for these infant level computer users but such are the expected growing pains for new tech culture. Most users have never even logged onto the setup pages forcing this duty onto a younger family member. (more on this complicated privacy issue below)

Reactionary,

There are of course some real tech legacy issues to deal with also as Chronno pointed out.

Open Wi-Fi is not a bad thing in itself and not necessarily a security problem if set up correctly. Just making it illegal is just stupid and helps nobody. (many posts)

Tomxp411; brought up some interesting legal definitions of which all seem correct. Not always known is that they are based on the various wire laws derived from the constitutional mistake of not considering analog or digital communications as part of free speech or the Bill of Rights.

Privacy is privacy but the issue of what is private is in flux. A no trespassing, private property sign is required to protect land and provide the 'expectation of privacy' that courts recognize. What is the difference between a private and public format? When we put a letter into an envelope it is recognized as private as compared to a post card which is not.

Location of the Wi-Fi router might also be an issue with its range of serviceable area. Is this router located in a farmhouse miles from any other house and its completely on private or leased property?

What about the mental fitness of the wi-fi operator? An elderly, ill or mentally handicapped person would not be expected to be able to do what a normal person would.

Encryption is a great technological envelope to use (and please do!) but what if we developed our own format or encoding (and did not publish the specs) would that not another private way to communicate?

Re: Re: Re: Re: Protection violation? what protection?

"Do you understand the technological side of what happened?"

Oh come on, when have these guys ever known what they're talking about? I wonder if this is the same AC I had an argument with a couple of yours ago when he was swearing blind that WEP was secure and thus it removed the hacked defence for wifi being misused?

I certainly wouldn't be surprised, only disappointed that such a regular stalker has learned literally nothing about the technology issues he's arguing about...

Re: Re: Re:

or this:So let's keep holding Google to the highest standards of privacy, but let's not turn it into a witch-hunt. Accusing them of flagrant data-theft for what was in fact a technical oversight is bad for everyone

Re: Re:

1. Your ISP typically prohibits sharing.
2. Your home WiFi can be used to do illegal things, and you're the one that gets stuck with the court case or police raid.

Sure, you can argue your case in court, but do you really want to have to go there? When it comes to child porn, for example, people are guilty in the public eye until proven innocent. I know of a few people locally that have lost their jobs and reputation due to simple unfounded accusations.